Openclaw Huggingface
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Hugging Face CLI helper, but it can use your Hugging Face token to upload, modify, or delete Hub resources, so users should review commands before running them.
Install only if you want the agent to operate the Hugging Face CLI on your behalf. Use a scoped Hugging Face token, confirm destructive actions such as repository deletion or moves, and carefully inspect any local directory before uploading it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could publish local files or make lasting changes to Hugging Face repositories.
The skill documents Hugging Face CLI commands that can delete or move repositories and upload the current directory. These actions are aligned with the stated management purpose, but they are high-impact operations that should require clear user intent.
hf repos delete username/repo-name ... hf repos move old-namespace/my-model new-namespace/my-model ... hf upload my-cool-model . .
Review each upload, delete, move, privacy, or branch/tag change before execution, and avoid using broad paths like `.` unless you have checked the directory contents.
A token with write or admin permissions could let the agent modify, upload to, or delete resources in the associated Hugging Face account.
The skill requires and manages Hugging Face authentication. This is expected for the integration, but the token's permissions determine what the agent can access or change.
`HF_TOKEN`: Hugging Face API Token ... hf auth login ... hf auth list ... hf auth switch
Use the least-privileged Hugging Face token needed for the task, prefer scoped tokens, and revoke or rotate tokens if they are no longer needed.